Airworthiness cybersecurity of remotely piloted aircraft systems (RPAS) – Draft Advisory Circular 21-57 v1.0

In this consultation, we asked for views on the Draft Advisory Circular (AC) 21-57 v1.0 - Airworthiness cybersecurity of remotely piloted aircraft systems (RPAS), which provides guidance on airworthiness cybersecurity for remotely piloted aircraft systems. The draft is primarily aimed at RPAS manufacturers and was also intended to help RPAS operators understand RPAS cybersecurity considerations.

The guidance focuses on protecting safety-critical RPA subsystems, ground-based supporting systems, C2 links, and other supporting infrastructure from cyber threats that could affect aviation safety.

The consultation opened on 5 November 2025 and closed on 5 December 2025. A summary of the feedback is below.

About this consultation

The consultation survey asked whether the content of AC 21-57 v1.0 was clear, sufficient, and fit for purpose.

We received 5 responses to the consultation. Three respondents consented to having their response published. Two respondents asked for their submission to remain confidential.

Respondents included RPA operators, manufacturers, consultants, and industry associations.

Respondents said that the draft guidance was timely. They said the content and structure was clear and fit-for-purpose as high-level guidance. Respondents also said it helped them identify and assess RPAS airworthiness cybersecurity risks for their operations

Summary of feedback

Several respondents questioned the audience of the AC and some respondents were unsure how relevant the guidance is to RPAS operators.

Primarily, the AC is intended for designers and manufacturers (OEMs) of RPAS. However, it is also intended to be useful to RPAS operators.

One respondent said non-OEM RPAS operators may have limited access to the technical system information needed to conduct a cybersecurity assessment. CASA acknowledges this, particularly for smaller RPAS. CASA also notes that airworthiness cybersecurity requirements are only engaged for higher complexity operations (typically at SORA SAIL III and above). For these operations, OEM cooperation is necessary for airworthiness assurance. This helps address relevant operational safety objectives (OSOs) and assure cybersecurity aspects. For lower complexity operations, AC 21-57 is primarily for information and awareness. Importantly, the guidance does not impose additional requirements beyond those required under the relevant operational risk assessment methodology for the application (for example SORA).

One respondent identified potential technical gaps about resilience against counter-UAS technologies and cyber-over-RF threats. Cyber-over-RF threats are within scope. They are listed in the threat mitigation tables in Appendix A.1 of the AC. Broader counter UAS technology, which involve the intentional interdiction of an RPAS by physical or technical means with the clear intention of terminating a flight, is out of scope.

One respondent suggested restructuring the guidance around SORA cybersecurity requirements. CASA intends that AC 21-57 remains independent of specific operational risk assessment methodologies (for example SORA). CASA will consider ways to clarify the relationship between the general cybersecurity guidance and the specific cybersecurity requirements of the SORA methodology.

CASA thanks respondents for their detailed and constructive submissions. CASA has published AC 21-57 after incorporating minor changes, where appropriate, based on the feedback received.

CASA will consider developing complementary guidance for RPAS operators on operational cybersecurity considerations. This may be in a future advisory circular for SORA-based risk assessments under Part 101 of CASR.

CASA will also consider improving the structure and content of AC 21-57 to clarify the relationship to specific operational risk assessment methodologies such as SORA.

Published responses

View submitted responses where consent has been given to publish the response.